Recall Highlights Medical Device Cybersecurity Issues

On August 29, the FDA announced a recall of 465,000 implantable pacemakers, citing concerns that hackers may be able to take control of the pacemakers’ settings. This would open patients up to danger from improper pacing or rapid depletion of the devices’ batteries, according to the FDA’s statement. The recall does not call for removing and replacing the pacemakers; instead, doctors will install a firmware upgrade that removes the vulnerability.

Newsfactor reports that there have been no reported exploits of the vulnerability and no devices have yet been compromised.

The recall highlights that medical device manufacturers are beginning to take a more focused approach to cybersecurity. Mac McMillan, CEO of privacy and cybersecurity firm Cynergistek, told Modern Healthcare that “If devicemakers didn’t already have developers sitting around looking at cybersecurity, they now have to incur the costs of making sure their devices stay current. In the past, they’ve developed devices and put them on the market and moved onto the next device. This is a new thing for them.”

Mike Kijewski, CEO of medical device security company Medcrypt, also suggested that the FDA should update its regulations to help medical device companies stay on top of cybersecurity threats. “If the FDA can say you’re just doing the update for cybersecurity and the changes are minimal and the functionality of the device isn’t changing, they can make the update happen faster,” Kijewski said.

Canada’s equivalent of the FDA, Health Canada, is still looking into the vulnerability and its proposed solution, and has set a target of 75 days to resolve the situation.

Nathan Reeves

Nathan Reeves is an associate in our Seattle office. He practices intellectual property law, with an emphasis on litigation.

Mr. Reeves received his Bachelor’s degrees from Walla Walla University, where he also conducted research in materials science. Mr. Reeves received his J.D. from Harvard Law School, where he worked as a clinical intern in the school’s Cyberlaw Clinic and as Managing Editor of the Harvard Journal of Law & Public Policy.

Mr. Reeves joined the firm in 2015. He has experience representing clients in fields ranging from software and web services, to satellite communications, to media and entertainment.
